The Rise of Ransomware: Backup and protect your data before you are forced to pay up

Introduction to Ransomware

As society’s dependency on technology continues to escalate, so do threats to cybersecurity. Today, nearly everything the world does, from how people keep in touch via social media to how businesses do their bookkeeping, is digitized. It should come as no surprise that criminals have found a way to use this dependence against people to make a profit. Ransomware is a troubling and growing problem that plagues people and companies of all varieties. With no end in sight, it is important for companies and individuals to understand the risks and aftermath of malware attacks as well as what can be done to prevent attacks and minimize damage.

History and Current Versions of Ransomware

Believed to have originated in Russia in 2005, ransomware is software that is clandestinely installed on a computer and limits access to the victim’s data until a ransom is paid to the attackers. Initially a European problem, ransomware has continued to spread globally while attackers have become smarter and more advanced in their attacks [1].

There are two types of current, well-known ransomware: Crypto ransomware and Locker ransomware. Crypto ransomware is malware that encrypts important data, leaving it inaccessible without the key to unlock it. Locker ransomware is malware that completely locks users out of their computers but generally leaves files unencrypted [11].

Two of the most publicized ransomware strains plaguing businesses and people alike are CryptoLocker and Locky. CryptoLocker appeared in early September 2013. Unlike earlier ransomware that would force people to pay a ransom by hiding their data, CryptoLocker actually encrypts the files. Once it infects a computer, if there is no current backup in place, users have to either pay the ransom or lose the data [9].

Locky was released in February 2016. Locky targets all versions of Windows and demands ransom to be paid in the form of Bitcoins. Since it attacks all versions of Windows and is rather simple in design, it is a lucrative, newer ransomware that is wreaking havoc across the world [12].

Why is Ransomware so Popular among Attackers?

Ransomware like CryptoLocker and Locky is extremely popular among extortionists for a variety of reasons. First, it is a very effective, albeit illegal, way for attackers to make large amounts of money. Since the user’s data or computer is encrypted and/or locked, many people and companies are willing to pay the ransom in order to have their files returned. Furthermore, since attackers use hard-to-trace payment systems like Bitcoin, they are virtually impossible to catch [2].

The Rise of Ransomware

Data released by the United States Department of Justice states that ransomware infections increased 300% from 2015 to 2016, with 4,000 attacks occurring daily in 2016. In 2015, the cybersecurity company BitSight conducted a study that looked at the incidence of ransomware infections throughout six major industry divisions: retail, education, finance, government, energy/utilities and healthcare. The results of the study showed that no industry was left unscathed by ransomware, but the highest increases in cyberattacks occurred in the government (a 2.96% increase) and education (a 3% increase) sectors. The study confirmed the U.S. Department of Justice’s findings that ransomware infections are definitely on the rise [13].

While no industry remains untouched, there is a new trend of attackers targeting healthcare organizations, and the reasons are plentiful. Hospitals make ideal targets because they need up-to-date patient records and because they provide life-or-death care. By targeting the healthcare sector, attackers are more likely to be paid the ransoms because medical professionals need that information [3]. Since doctors need real-time access to computerized patient data such as pharmacy orders, lab results and schedules, attackers know that infecting them likely means they can expect a large payout. Furthermore, patient records are more valuable than stolen credit cards, causing healthcare industry ransomware attacks to rise considerably; in 2015, one out of every three Americans had their medical record stolen [4].

The Effects of Being Attacked by Ransomware

The effects of being a victim of a ransomware attack can be immediate and severe. For example, in the healthcare industry, attacks are especially problematic because they directly affect patient care. First and foremost, infections result in delays in care [3]. Because physicians lose access to electronic records, communication is much slower, since it has to be done either in person or via fax. Additionally, since x-rays, scans, medical history and labs cannot be easily accessed, the result is not only delays but, in some cases, the relocation of patients to different hospitals [16]. Finally, lack of access to data and delays in care could ultimately lead to lawsuits or even the death of patients [3].

Another effect of ransomware attacks is that companies are being forced to pay to unlock the data. For example, in 2015, there were at least two incidents where police departments paid ransoms to attackers in order to retrieve their data. In January, the Midlothian police department, located outside of Chicago, paid a ransom of $500 to attackers after their department was infected. Then in October, a sheriff’s office, located in Dickson County, Tenn., ultimately paid a ransom of $572 despite pursuing assistance from the FBI to catch the attackers [17]. Most recently, in February 2016, Hollywood Presbyterian Medical Center in Los Angeles paid extortionists $17,000 in Bitcoin after their computers were down for over a week due to a Locky ransomware attack [3].

How Does a Company Become Infected with Ransomware?

A ransomware attack is a fairly simple process. Infections happen through phishing or through compromised advertisements, also known as malvertising [3]. The malware usually arrives in an email with an attachment. Once the attachment is opened, the ransomware starts to encrypt files [8]. Sometimes, attackers will send links to authentic sites that are infected with malware, and unsuspecting victims who visit the site are attacked from there [10]. After the data is encrypted, the ransomware alerts the victim that they have been targeted and must pay a ransom to the attacker by a predetermined deadline [8].

In the healthcare industry, hospitals specifically are ill-equipped to deal with ransomware for several reasons. They generally do not spend a lot on security, and employees are not properly trained in cybersecurity [6]. Hospitals are also vulnerable because of a lack of staff and/or resources and because employees tend to focus on complying with HIPAA regulations rather than on security [7] [3].

The Aftermath of a Ransomware Attack

Ransomware infections are extremely expensive for both individuals and businesses. In 2014, it was estimated by the FBI that the CryptoLocker type of malware cost victims $27 million in six months’ time [3]. Since then, extortion rates have increased exponentially causing Americans to spend $209 million in the first three months of 2016 due to ransomware infections [14]. Besides the actual ransom, it is also costly for victims because they incur large expenses for security software, tech support, consultants, lost earnings and missed work [18].

The aftermath of an attack is especially apparent in the healthcare industry. Between 2014 and 2015, 91% of surveyed organizations experienced at least one data breach. In addition to costing the healthcare sector $6 billion a year, data breaches often result in medical record theft. In 2014, 2.3 million adults had their medical records stolen [7]. Medical records are a top choice for attackers to steal because they can sell the records for $60 each, compared to stolen credit cards that only sell for $1-$3 each [5].

Dealing with medical record theft is problematic because the files contain people’s birthdates, Social Security numbers and financial information. Not only do attackers have a victim’s confidential health history, they also have all the information they need to steal that person’s identity. People whose medical records have been stolen pay an average of $13,500 to repair the damage caused by the theft. To add to that, patients whose identities and records are stolen are offered little to no relief from the medical organization the records were stolen from, because two-thirds of businesses do not have protection services for the victims [7].

A more alarming aftereffect of malware attacks is that the thief’s personal information could end up in the victim’s medical records if the thief uses the stolen identity to obtain medical care. This is especially dangerous because information such as the thief’s medications, allergies or blood type could be recorded in the victim’s record, potentially causing life-threatening problems [7].

An additional lasting effect of infections is that even when victims pay the ransom, their data is not always returned by the attackers. It is very possible that organizations will lose data permanently because they may not have Bitcoins on hand to pay before the deadline. Attackers usually give victims about 48 hours to pay the ransom, but it takes three to five days to get Bitcoins. Attackers have also attacked the same company again even after being paid [15].

What Defenses and Data Protection Solutions are Available for the Ransomware Crisis?

There are a number of defenses and solutions to help prevent and disable malware attacks. First and foremost, experts recommend companies implement mandatory employee training about the importance of cybersecurity [4]. In addition to training employees, companies are encouraged to utilize firewalls and regularly back up data [1] [4]. It is also vital that organizations limit access to certain areas of the network to smaller groups of people and keep protection software up to date [3] [4]. If an attack occurs, the best thing to do immediately is to shut down the network because doing so will help prevent the ransomware from spreading [3].